def __get_role_arn(self, role_logical_id, deployment_name):
role_path = self.__context.config.get_project_stack_name()
if self.__find_role_in_template(role_logical_id, self.__context.config.deployment_access_template_aggregator.effective_template):
if deployment_name is None:
deployment_name = self.__context.config.default_deployment
if deployment_name is None:
raise HandledError('The deployment access role {} was specified, but no deployment was given and there is no default deployment set for the project.'.format(role_logical_id))
stack_arn = self.__context.config.get_deployment_access_stack_id(deployment_name)
role_path = role_path + '/' + deployment_name
elif self.__find_role_in_template(role_logical_id, self.__context.config.project_template_aggregator.effective_template):
stack_arn = self.__context.config.project_stack_id
deployment_name = None
else:
raise HandledError('Role could not find role {} in the project or deployment access templates.'.format(role_logical_id))
role_physical_id = self.__context.stack.get_physical_resource_id(stack_arn, role_logical_id)
account_id = util.get_account_id_from_arn(stack_arn)
role_arn = 'arn:aws:iam::{}:role/{}/{}'.format(account_id, role_path, role_physical_id)
self.__context.view.using_role(deployment_name, role_logical_id, role_physical_id)
return role_arn
def token_exchange_handler_id(self):
token_exchange_handler_name = self.project_resources.get('PlayerAccessTokenExchange', {}).get('PhysicalResourceId', None)
if token_exchange_handler_name is None:
raise HandledError('The project stack {} is missing the required PlayerAccessTokenExchange resource. Has {} been modified to remove this resource?'.format(
self.project_stack_id,
self.project_template_aggregator.base_file_path))
return 'arn:aws:lambda:{region}:{account_id}:function:{function_name}'.format(
region=util.get_region_from_arn(self.project_stack_id),
account_id=util.get_account_id_from_arn(self.project_stack_id),
function_name=token_exchange_handler_name)
def __get_mappings(context, deployment_name, exclusions, role, args=None):
mappings = {}
deployment_stack_id = context.config.get_deployment_stack_id(
deployment_name)
region = util.get_region_from_arn(deployment_stack_id)
account_id = util.get_account_id_from_arn(deployment_stack_id)
context.view.retrieving_mappings(deployment_name, deployment_stack_id,
role)
player_accessible_arns = __get_player_accessible_arns(
context, deployment_name, role, args)
resources = context.stack.describe_resources(deployment_stack_id,
recursive=True)
for logical_name, description in resources.iteritems():
if logical_name in exclusions:
continue
physical_resource_id = description.get('PhysicalResourceId')
if physical_resource_id:
if __is_user_pool_resource(description):
mappings[logical_name] = {
'PhysicalResourceId': physical_resource_id,
'ResourceType': description['ResourceType'],
'UserPoolClients': description[
'UserPoolClients'] # include client id / secret
}
else:
resource_arn = util.get_resource_arn(
description['StackId'],
description['ResourceType'],
physical_resource_id,
optional=True,
context=context)
if resource_arn and resource_arn in player_accessible_arns:
if __is_service_api_resource(description):
__add_service_api_mapping(context, logical_name,
description, mappings)
else:
mappings[logical_name] = {
'PhysicalResourceId': physical_resource_id,
'ResourceType': description['ResourceType']
}
k_exchange_token_handler_name = 'PlayerAccessTokenExchange'
if k_exchange_token_handler_name not in exclusions:
login_exchange_handler = context.stack.get_physical_resource_id(
context.config.project_stack_id, k_exchange_token_handler_name)
if login_exchange_handler != None:
mappings[k_exchange_token_handler_name] = {
'PhysicalResourceId': login_exchange_handler,
'ResourceType': 'AWS::Lambda::Function'
}
#now let's grab the player identity stuff and make sure we add it to the mappings.
access_stack_arn = context.config.get_deployment_access_stack_id(
deployment_name, True if args is not None and args.is_gui else False)
if access_stack_arn != None:
access_resources = context.stack.describe_resources(access_stack_arn,
recursive=True)
for logical_name, description in access_resources.iteritems():
if description['ResourceType'] == 'Custom::CognitoIdentityPool':
if logical_name in exclusions:
continue
mappings[logical_name] = {
'PhysicalResourceId': description['PhysicalResourceId'],
'ResourceType': description['ResourceType']
}
if 'region' not in exclusions:
mappings['region'] = {
'PhysicalResourceId': region,
'ResourceType': 'Configuration'
}
if 'account_id' not in exclusions:
mappings['account_id'] = {
'PhysicalResourceId': account_id,
'ResourceType': 'Configuration'
}
return mappings
def __get_mappings(context, deployment_name, exclusions, role, args=None):
iam = context.aws.client('iam')
mappings = {}
deployment_stack_id = context.config.get_deployment_stack_id(deployment_name)
region = util.get_region_from_arn(deployment_stack_id)
account_id = util.get_account_id_from_arn(deployment_stack_id)
# Assemble and add the iam role ARN to the server mappings
deployment_access_stack_id = context.config.get_deployment_access_stack_id(deployment_name, True if args is not None and args.is_gui else False)
server_role_id = context.stack.get_physical_resource_id(deployment_access_stack_id, role, optional=True)
server_role_arn = iam.get_role(RoleName=server_role_id).get('Role', {}).get('Arn', '')
context.view.retrieving_mappings(deployment_name, deployment_stack_id, role)
player_accessible_arns = __get_player_accessible_arns(context, deployment_name, role, args)
lambda_client = context.aws.client('lambda', region=region)
resources = context.stack.describe_resources(deployment_stack_id, recursive=True)
for logical_name, description in resources.iteritems():
if logical_name in exclusions:
continue
physical_resource_id = custom_resource_utils.get_embedded_physical_id(description.get('PhysicalResourceId'))
if physical_resource_id:
if __is_user_pool_resource(description):
mappings[logical_name] = {
'PhysicalResourceId': physical_resource_id,
'ResourceType': description['ResourceType'],
'UserPoolClients': description['UserPoolClients'] # include client id / secret
}
else:
stack_id = description['StackId']
s3_client = context.aws.client('s3')
type_definitions = context.resource_types.get_type_definitions_for_stack_id(stack_id, s3_client)
resource_arn = aws_utils.get_resource_arn(
type_definitions=type_definitions,
stack_arn=stack_id,
resource_type=description['ResourceType'],
physical_id=physical_resource_id,
optional = True,
lambda_client=lambda_client
)
if resource_arn and resource_arn in player_accessible_arns:
if __is_service_api_resource(description):
__add_service_api_mapping(context, logical_name, description, mappings)
else:
mappings[logical_name] = {
'PhysicalResourceId': physical_resource_id,
'ResourceType': description['ResourceType']
}
k_exchange_token_handler_name = 'PlayerAccessTokenExchange'
if k_exchange_token_handler_name not in exclusions:
login_exchange_handler = context.stack.get_physical_resource_id(context.config.project_stack_id, k_exchange_token_handler_name)
if login_exchange_handler != None:
mappings[k_exchange_token_handler_name] = { 'PhysicalResourceId': login_exchange_handler, 'ResourceType': 'AWS::Lambda::Function' }
#now let's grab the player identity stuff and make sure we add it to the mappings.
access_stack_arn = context.config.get_deployment_access_stack_id(deployment_name, True if args is not None and args.is_gui else False)
if access_stack_arn != None:
access_resources = context.stack.describe_resources(access_stack_arn, recursive=True)
for logical_name, description in access_resources.iteritems():
if description['ResourceType'] == 'Custom::CognitoIdentityPool':
if logical_name in exclusions:
continue
mappings[logical_name] = {
'PhysicalResourceId': custom_resource_utils.
get_embedded_physical_id(description['PhysicalResourceId']),
'ResourceType': description['ResourceType']
}
if 'region' not in exclusions:
mappings['region'] = { 'PhysicalResourceId': region, 'ResourceType': 'Configuration' }
if 'account_id' not in exclusions:
mappings['account_id'] = { 'PhysicalResourceId': account_id, 'ResourceType': 'Configuration' }
if 'server_role_arn' not in exclusions and role is not 'AuthenticatedPlayer':
mappings['server_role_arn'] = { 'PhysicalResourceId': server_role_arn, 'ResourceType': 'Configuration' }
return mappings